A typical pattern for security companies is to offer a standalone antivirus as well as a security suite that integrates features like firewall, spam filtering, and parental control. Webroot doesn't quite fit that mold. Webroot's basic antivirus (which wins an Editors' Choice award) includes a kind of firewall protection, and to that Webroot SecureAnywhere Internet Security Plus adds Android support and a password manager. Webroot's Android app is full-featured and effective, but the password manager is in sad shape.

At $59.99 per year for three licenses, Webroot costs less than most competing suites. Bitdefender and Kaspersky cost $20 more for three licenses. If you want five Webroot licenses, you pay $69.99 per year. Five Norton licenses will run you $89.99 per year. For the same price as Norton, you can install McAfee Internet Security on every device in your household.

You can use your Webroot licenses to install protection on devices running Windows, macOS, or Android. However, on a Mac you just get Webroot SecureAnywhere Antivirus (for Mac), without any additional suite features. And the Android security app costs $14.99 per year as a standalone. You get the most bang for your buck installing Webroot on Windows.

The suite's main window is identical to that of the standalone antivirus. There isn't even a different window title; both just say "Webroot SecureAnywhere." You won't see any difference until you click the Password Manager button. If you've installed the suite, you see two buttons, Start Now and Learn More. In the antivirus, you just see Learn More. If you click Learn More, what you learn is that to get password management you need to buy the suite.

Shared Malware Protection

Everything that's in Webroot SecureAnywhere AntiVirus also comes with this suite, of course. Please read my review of the basic antivirus for full details of my findings. Here, I'll simply summarize.

Malware Protection Results Chart
Phishing Protection Results Chart

While Webroot maintains a minimal local malware database, it relies mainly on behavior-based detection to classify unknown programs as safe or malicious. It journals all actions by unknown processes and reports the behavior pattern to its cloud database (if the cloud is unavailable, it journals actions by all new processes). If the cloud gives a thumbs-down, the local agent eliminates the threat and rolls back the malware's activity. This system can even reverse a ransomware attack, provided the ransomware doesn't encrypt so many files it overloads the journaling system. Webroot wiped out all my actual ransomware samples before they could take effect, but I cobbled up a ransomware simulator and verified that Webroot reversed its effects.

This journal and rollback system isn't compatible with tests by most of the independent labs. In the past, Webroot did pass the very difficult tests performed by MRG-Effitas; my contacts tell me it will appear in that lab's reports again. For comparison, Bitdefender and Kaspersky participate with all four of the labs that I follow. My lab score algorithm yields 9.9 points for Bitdefender and a perfect 10 for Kaspersky Internet Security.

With no lab test results, my own hands-on tests become more important. Like Norton, Webroot aced my hands-on malware protection test, detecting 100 percent of the samples and earning 10 of 10 possible points. A full scan of a malware-free test system finished in just seven minutes. This is impressive, given that the average scan time for current products is just short of an hour.

As a measure of each product's ability to block current, active malware, I take a list of malware-hosting URLs no older than a day and try to launch each one. I give the product equal credit for preventing all access to the URL and for eliminating the malware during or just after download. Of 100 such URLs, Webroot blocked 88 percent, most by wiping out the malware after download. That's impressive, since its behavior-based system didn't even get a chance to see these threats running. Norton owns this test, however, with 98 percent protection. At 97 percent protection, Trend Micro Internet Security is close behind.

Phishing websites differ from malware hosting sites in that there's no malware involved. Rather, the fraudsters who create them hope to trick you into entering your login credentials for bank sites, email sites, and even dating sites. Because these sites come and go quickly, I test with the very newest ones. Webroot's detection rate was just five percentage points lower than that of Norton, my antiphishing touchstone. That's very good. Out of all current products, only Bitdefender Internet Security and Trend Micro have outscored Norton.

Other Shared Features

Webroot packs a firewall into the antivirus, but it doesn't attempt to replace Windows Firewall. Rather, it monitors network activity by unknown programs and prevents them from exfiltrating your data. If the antivirus detects ransomware on the system, the firewall clamps down, preventing all network access by untrusted programs. In testing, I couldn't find any way that a malware coder could disable Webroot's protection.

If you're not a security expert, most of the other shared features aren't for you, but they can be extraordinarily helpful if a tech support agent working on manual malware remediation has to remotely control your machine. There are tools to repair collateral damage after a malware attack, quickly reboot into Safe Mode, and manually repair malware damage. An active process list shows which processes are trusted and which are being monitored by Webroot. Finally, the SafeStart Sandbox lets experts launch a suspect program under limitations that prevent it doing damage.

Problematic Password Manager

If you're a long-time LastPass user, you may recognize Webroot's password manager, as it's a licensed and re-branded version of an old iteration of LastPass. That means it lacks the features added in LastPass Premium version 4.0, such as password inheritance, shared password folders, and automated password changing. The dated user interface clearly didn't benefit from the facelift LastPass got with its latest version.

Webroot doesn't even include every feature from the version of LastPass on which it's based. It doesn't attempt application password management, two-factor authentication, or password sharing. You can't create secure notes, nor can you define multiple identities within the program. It doesn't offer the impressive Security Challenge report that helps LastPass users improve their password security, either.

It gets worse. When I began testing, the password manager was not working in Chrome. My Webroot contact says the company has "filed a defect" with LastPass and got the problem fixed just before publication of this review. It does not work in 32-bit Firefox. If you've used Firefox for a long time, chances are good you still have the 32-bit version, as the normal update process doesn't switch you to 64-bit. Even when I updated Firefox on my test system to 64-bit, the password manager still didn't install.

The password manager extension showed up in the add-ons list for Internet Explorer both in my virtual machine test system and on a physical machine. However, it didn't capture passwords, and didn't automatically fill existing passwords. A Webroot tech support expert remote-controlled the test system and managed to get the password manager working in Firefox. However, clicking Save Site when it offered to save passwords appeared to fail. The support agent suggested I choose Tools > Advanced Tools > Refresh Sites after each capture. That worked, but it's awkward. And the agent couldn't solve the problem with Internet Explorer.

You reach Webroot's equivalent to the LastPass Vault by logging in to your Webroot account online. The login process is a bit more complex than simply entering a password, though it's not precisely two-factor. In addition to the password, you define a six-digit PIN. Once you've entered the password, the site asks for two specific digits out of that PIN, a different pair each time, to foil any possible key-logging attack.
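One way a server could implement the two-digits-of-a-PIN step described above, as an added example that is not Webroot's code. The class name, the three-failure lockout, and the choice to re-ask the same positions after a wrong answer are assumptions made here.

```python
import hmac
import secrets

PIN_LENGTH = 6      # six-digit PIN, as in the review
DIGITS_ASKED = 2    # two positions requested per login
MAX_FAILURES = 3    # assumed lockout threshold (not from the review)


class PinChallenge:
    """Server-side state for one account's partial-PIN step (hypothetical design)."""

    def __init__(self, pin: str):
        if len(pin) != PIN_LENGTH or not pin.isdigit():
            raise ValueError("PIN must be exactly six digits")
        self._pin = pin        # checked digit by digit, so it cannot be one salted hash
        self._pending = None   # positions of the outstanding challenge
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES

    def issue(self) -> tuple[int, int]:
        """Return two distinct 1-based positions; an unanswered challenge is reused."""
        if self.locked:
            raise PermissionError("too many wrong answers")
        if self._pending is None:
            rng = secrets.SystemRandom()
            picked = rng.sample(range(1, PIN_LENGTH + 1), DIGITS_ASKED)
            self._pending = tuple(sorted(picked))
        return self._pending

    def verify(self, answer: str) -> bool:
        """Compare the two requested digits in constant time."""
        if self.locked or self._pending is None:
            return False
        expected = "".join(self._pin[p - 1] for p in self._pending)
        ok = hmac.compare_digest(answer.encode(), expected.encode())
        if ok:
            self._pending, self.failures = None, 0   # next login gets a fresh pair
        else:
            self.failures += 1   # same pair is asked again, so retrying cannot pick the pair
        return ok


if __name__ == "__main__":
    sample_pin = "402917"                      # constructed sample PIN
    login = PinChallenge(sample_pin)
    asked = login.issue()
    reply = "".join(sample_pin[p - 1] for p in asked)
    print("positions", asked, "accepted:", login.verify(reply))
```

Because only two digits are checked, a blind guess succeeds one time in 100, which is why the example locks the account after a few failures.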

When it's working properly, the password manager captures credentials as you log in and replays them when you revisit a site. You can name saved entries and put them in folders at capture time, or organize them later. If you like, you can create a tree of folders and subfolders. When you click the browser toolbar button, these become a set of menus and submenus holding your saved sites. Select one and Webroot both navigates there and logs you in.

Websites that use a non-standard login form baffle some password managers. Like Sticky Password Premium and a few others, Webroot handles these sites by letting you manually capture data from all fields of the form. Just fill in your username, password, and any other required information. Then click the browser toolbar button and choose Tools, then select Save All Entered Data. I found that this feature worked in the Internet Explorer installation where automated password capture did not.

A powerful password generator lets you create a random, unique password when signing up for a new site or updating a weak or duplicate password. However, it defaults to generating 12-character passwords using just letters and numbers. I strongly advise checking the box for special characters and raising the length to at least 16 characters. Note that 16 characters using all character sets is the default for True Key, while Password Boss Premium and 1Password default to 20 characters.
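The gap between the default and the advised setting can be measured. This added example (not Webroot's or LastPass's generator) builds a generator on Python's secrets module and computes the exact entropy of each setting; using string.punctuation as the special-character set and requiring every selected class to appear are assumptions made here.

```python
import math
import secrets
import string
from itertools import combinations

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "special": string.punctuation,   # 32 ASCII symbols, assumed "special characters"
}

DEFAULT = (12, ("lower", "upper", "digits"))              # default per the review
ADVISED = (16, ("lower", "upper", "digits", "special"))   # setting the review advises


def generate(length: int, use: tuple[str, ...]) -> str:
    """Draw uniformly from the chosen classes, redrawing until each class appears."""
    alphabet = "".join(CLASSES[name] for name in use)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[name] for ch in candidate) for name in use):
            return candidate


def entropy_bits(length: int, use: tuple[str, ...]) -> float:
    """log2 of how many distinct passwords generate() can emit.

    Inclusion-exclusion removes the strings that miss one or more classes,
    so the figure accounts for the "every class appears" rule.
    """
    sizes = [len(CLASSES[name]) for name in use]
    total = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):
            count += (-1) ** k * (total - sum(missing)) ** length
    return math.log2(count)


if __name__ == "__main__":
    for label, (length, use) in (("default", DEFAULT), ("advised", ADVISED)):
        bits = entropy_bits(length, use)
        print(f"{label}: {generate(length, use)}  {bits:.1f} bits")
```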

You can import passwords from almost two dozen competing products, among them Dashlane, Sticky Password, and RoboForm, or import a generic CSV file. However, looking at the list of products for import, I found about half of them to be unfamiliar.

Like many password managers, Webroot can fill Web forms with your saved information. You can create multiple profiles, each containing personal data, contact data, one credit card, one bank account, and any custom fields that you need. You can also add any number of credit cards separately. When Webroot detects a fillable form, it offers a menu that lets you choose a profile to fill the form, or choose a profile and a credit card. Note that if you try to fill personal information on a page that's not secure, Webroot will warn you there's a problem. In testing, I found that it did not automatically offer a menu of identities, but when I chose one from the toolbar menu, it filled the form correctly.

In summary, the password manager looks dated. Worst, it's based on an old version of LastPass, but it doesn't even have all the features of the free edition of LastPass. It doesn't work in 32-bit Firefox. I couldn't get it to work fully even in 64-bit Firefox. And in my testing on Internet Explorer, it failed to capture passwords at login.

Start by installing the free Webroot Mobile Security from the Play store. During installation, you get an opportunity to activate premium features using your registration code; you can also upgrade by entering the code later. As with most such utilities, you must activate Device Administrator privileges. The app itself walks you through activating some important components and installing Webroot's SecureWeb browser.

The antivirus component requests a full scan at installation and automatically runs a full scan every week. It scans new apps, files you download, and apps you launch. Of course, you can manually request a full scan any time.

You manage antitheft features through the online console. If you've mislaid your device around the house, you can log in and select Scream. Be warned, it doesn't make a beep or a siren; it literally screams. If you lost the device, or someone stole it, you can lock it remotely, with an optional custom message. You can query its location, which also locks it. And if all else fails, you can remotely wipe it with a factory reset. When you choose to lock or locate the device, or make it scream, you define a temporary PIN of four to 16 digits. If you recover the device, you'll have to enter that PIN to unlock it.

The useful App Inspector flags apps that can access your messages, cost you money, access sensitive information, or track your location. Initially it just shows how many apps match each category. Tapping a category gets a full list, and tapping any app takes you to the Android uninstall page for that app. There's also a battery monitor to identify battery-hog apps, as well as a seriously geeky network monitor.

I tested the Android app on a Nexus 9 running Android 5 (Lollipop). The battery monitor didn't display the expected list of apps and their battery usage, and the real-time usage monitor wasn't available. My Webroot contact explained that in Android versions after KitKat, Google "removed our ability to provide real-time stats." That does mean that about three quarters of all Android users won't get the benefit of this feature.

When you use the SecureWeb browser, you get the same kind of protection against malware-hosting URLs and phishing sites that the browser extensions offer under Windows. It's also the way you access the password manager. Note that even when you've logged in with your master password, password management isn't quite as automatic as the Windows version. To start, it doesn't capture logins, just plays them back. You must navigate to a secure site, choose Vault from SecureWeb's menu, and then choose AutoFill. You fill forms in much the same way.

When you access the Vault itself on Android, you just get an alphabetical list of saved sites, without any categories. You can tap an item to visit the site (after which you'll use AutoFill as above) or view the site details. But there's no ability to edit the items the way you can in Windows. LastPass (for Android) has virtually all the same features as LastPass on a PC, including the ability to create and edit new logins, securely share passwords, and leave your passwords to an inheritor in the event of your demise.

Webroot does support iOS as well, to a small degree. Specifically, you can install the free SecureWeb app on your iOS devices and thereby get protection against bad sites and access to Webroot's password manager. Doing so doesn't use up any of your precious licenses.

Zero Performance Impact

From the start, Webroot has been famous for its tiny size and low resource usage. The main application is about 1MB in size. Webroot uses just two processes and one Windows service, while other popular products need a dozen or more.

My simple hands-on tests measure changes in the time required to boot the system, to move and copy a large collection of files between drives, and to zip and unzip that same collection repeatedly. I average multiple runs before and after installing the suites, and report the difference.

Like Symantec Norton Security Deluxe and adaware antivirus total, Webroot didn't slow down any of my tests. In fact, the average time for all three came in slightly faster than before I installed Webroot.

Doesn't Add Enough

Webroot SecureAnywhere Internet Security Plus includes the same unusual antivirus protection that made Webroot SecureAnywhere AntiVirus an Editors' Choice in the antivirus category, but upgrading to this suite doesn't get you much. Its password manager, based on an antique version of LastPass, is in disarray, so much so that I couldn't fully test it. It does let you install protection on your Android devices, but that protection is available separately for $14.99. If you need antivirus and password management, you'd do better to install Webroot's antivirus and the free version of LastPass.

For a powerful security suite, one offering all the expected features, you'll be better off with Bitdefender Internet Security or Kaspersky Internet Security. These Editors' Choice suites cost more than Webroot, but they also give you a lot more, and the independent testing labs consistently give their antivirus protection perfect or near-perfect ratings.

Sub-Ratings:

Note: These sub-ratings contribute to a product's overall star rating, as do other factors, including ease of use in real-world testing, bonus features, and overall integration of features.

Firewall:
Antivirus:
Performance:
Privacy:
Parental Control: n/a

About the Author

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted by readers. By 1990, he had become PC Magazine's technical editor, and a coast-to-coast telecommuter. His "User to User" column supplied readers with tips and solutions on using DOS and Windows, his technical columns clarified fine points in programming and operating systems, and his utility articles (over forty of ...